
NIST 800-53 Security Standard Questionnaire (Free Template) | Cybersecurity

This post provides a template to inspire the design of your own vendor security questionnaire mapping to NIST SP 800-53. For an editable version of a vendor questionnaire mapping to NIST 800-53 revision 5, download this NIST 800-53 risk assessment template.

Vendor Questionnaire Template: NIST SP 800-53

Note: Cybersecurity offers a NIST 800-53 vendor questionnaire that automatically highlights alignment gaps based on vendor responses to support an efficient compliance strategy. For the most reliable supply chain risk management program, it's highly recommended to manage your vendor security questionnaires on a scalable solution like Cybersecurity.

Learn how Cybersecurity streamlines Vendor Risk Management >

Security and Privacy Programs Assessment

This section evaluates the strength of a vendor's set of policies governing their security and privacy programs.

1. Does your company have a developed security program in place?
1 (a). If you answered Yes, does this program address the entire scope of digital information being processed in the organization?

Security Control

This section evaluates the strength of a vendor's security control strategy and its ability to protect private data from compromise.

1. Do you provide a notice to your customers advising them how you handle and protect personally identifiable information (PII)?
1 (a). If you answered Yes, provide a copy of this policy, either by pasting it in the free text field below or appending it to this completed questionnaire.
1 (b). If you answered No, describe compensating controls that are in place or explain why you don't consider this to be a security risk.
1 (c). If you're in the process of implementing an external policy describing how you handle and protect personally identifiable information, advise the estimated timeframe for when this will be completed.
2. Do you have internal documentation outlining how to safely handle sensitive customer data?
2 (a). If you answered No, describe compensating controls that are in place or explain why you don't consider this to be a security risk.
3. How often are internal audits of your security and privacy program conducted?
   - Every three months
   - Every six months
   - Annually
   - (Free text field)
4. Do you have a policy in place for mitigating the security risks posed by mobile devices?
5. Have you implemented a risk assessment program?
5 (a). If you answered Yes, how often are risk assessments completed for each vendor?
   - Quarterly
   - Bi-annually
   - Annually
   - Other (specify below)
   - (Free text field)

For an overview of an ideal risk assessment workflow, watch this video.


6. Do you have a policy for prioritizing critical vendors in risk assessment plans?
6 (a). If you answered Yes, how do you determine which vendors should be prioritized?
7. Do you have a cybersecurity solution for continuous monitoring of attack surfaces to discover emerging risks, either internally or across your service provider network (real-time monitoring)?
7 (a). Do you have a vulnerability scanning tool in place for discovering emerging attack vectors across all internet-facing assets?
8. Do you have security policies for mitigating insider threat risks?
9. How do you ensure onboarded vendors meet your security requirements as defined by your risk appetite?
10. Do you have any vendors currently exceeding your risk appetite baseline?
11. Do you incorporate penetration testing in your strategy for maintaining a resilient control baseline?
11 (a). If you answered Yes, how often do you perform penetration tests?
   - Quarterly
   - Bi-annually
   - Annually
   - Other (specify below)
   - (Free text field)

Personnel Security

This section evaluates the likelihood of employees facilitating security incidents.

1. Do you keep an up-to-date record of all employee user accounts and their respective access control levels?
2. Do you have a policy in place ensuring sensitive data is only accessed on a need-to-know basis?
3. Do you have a policy in place ensuring only authorized users have access to sensitive resources?
4. Do you have a strategy in place for protecting privileged user accounts?
5. Do you have contingency plans in place for when privileged user accounts are compromised?
6. Are government contractors and information security assessors required to sign confidentiality agreements to ensure customer data remains protected?
7. Do you have formal management processes for system security plans protecting account authentication information, such as passwords and digital certificates?
8. Are user account access levels regularly reviewed?
8 (a). If you answered Yes, how often do these reviews occur?
   - Quarterly
   - Bi-annually
   - Annually
   - Other (specify below)
   - (Free text field)
9. Do your employees complete cyber threat awareness training regularly?
9 (a). If you answered Yes, how often does this training occur?
   - Quarterly
   - Bi-annually
   - Annually
   - Other (specify below)
   - (Free text field)
9 (b). If you answered Yes, provide an outline of what's covered in each training module.
9 (c). If you answered Yes, does your program management policy regularly update this training?
10. Does your physical and environmental protection policy ensure all means of physical and digital access to your network are revoked from offboarded contractors and employees, including remote access?

Regulatory Compliance

This section will help you evaluate the level of risk your vendors pose to your regulatory compliance efforts.

1. List all of the regulations you're bound to.
2. Do you have a process in place for tracking emerging regulatory requirements?
3. Do you have a process in place for tracking regulatory compliance gaps, internally and across your vendor network?
4. Do you have a system for prioritizing critical regulatory compliance risk remediation tasks?

Learn more about NIST compliance >

Infrastructure Security

These questions will help you discover security risks associated with a vendor's IT infrastructure.

1. Do you have configuration management tools enabling secure configuration settings?
2. Do you facilitate remote access to your infrastructure?
2 (a). If you answered Yes, do these remote access mechanisms undergo security testing to uncover potentially exploitable vulnerabilities?
3. Do you have a patch management program for keeping your network infrastructure secured with the latest patches?
3 (a). If you answered Yes, do you automate patch updates?
4. Do you conduct security control assessments for evaluating the cybersecurity of your cloud infrastructures?
4 (a). If you answered Yes, how often do these assessments occur?
   - Monthly
   - Quarterly
   - Bi-annually
   - Annually
   - Other (specify below)

Server Security

This section evaluates the risk of a vendor's servers acting as attack vectors facilitating data breaches.

1. Do you follow a server hardening protocol?
1 (a). If you answered Yes, provide an overview of the hardening process.
2. How do you ensure your servers are protected with the latest security patches?
3. Which operating systems are your servers running on?
   - Unix (including Linux, Solaris, etc.)
4. Are servers housing sensitive data segmented and inaccessible by general access users?

Learn more about network segmentation >

5. How often is your list of privileged access users audited?
   - Monthly
   - Quarterly
   - Bi-annually
   - Annually
   - Other (specify below)
6. Describe how your server backups are stored.

For example, on disks, removable drives, other servers, etc.

7. List all of the geographical locations of your servers (including backup servers).
8. How often are these backups tested?
   - Monthly
   - Quarterly
   - Bi-annually
   - Annually
   - Other (specify below)
   - (Free text field)

Email Security

These questions will help you understand the risk of a vendor being compromised by an email-based cyberattack.

1. Describe the security controls you have in place for defending against email-based attacks.
2. Have you suffered any email-based attacks in the last 12 months?
2 (a). If you have, were any of these attacks successful?

If so, describe the impact of the attack.

3. Are your emails encrypted while in transit?

For example, using Transport Layer Security (TLS).

Client Workstation Security

This section will uncover the risk of endpoints acting as attack vectors and identify potential security enhancements.

1. How do you ensure client workstations and remote endpoints are hardened against cyber threats?
2. Does your Incident Response Plan address situations where remote endpoints are compromised?
3. Select the types of devices and information system components covered by malware protection.
   - Mobile devices
   - Windows workstations
   - Non-Windows workstations
4. Do any remote endpoints or workstations share passwords?
5. Do any workstations use default administrative passwords?
6. Do you have a media protection policy defending against malware injections from external devices (such as USBs and hard drives)?

Data Management

This section evaluates the security of the vendor's data management strategy.

1. Do you use an active directory tool to track sensitive information across technology systems?
1 (a). If you answered Yes, does this active directory tool also track sensitive data shared with third-party services?
2. Do you have separate network segments for your sensitive data and for sensitive data belonging to your customers?

Asset Management

This section evaluates the strength of the vendor's asset management strategy, which could reveal overlooked attack surface areas vulnerable to compromise.

1. How do you ensure your IT asset inventory remains up-to-date?
2. Do you have an attack surface management program in place to protect IT assets from compromise?
2 (a). If you answered Yes, how do you monitor the functionality and efficacy of your ASM program?
3. Do you regularly keep stakeholders informed of your attack surface management efforts?
4. How do you ensure system and information integrity is maintained across your IT assets when a cyber threat breaches your network?

For an overview of how an Attack Surface Management strategy could reduce your risk of suffering a data breach, watch this video.


Streamline NIST 800-53 Questionnaire Management with Cybersecurity

The Cybersecurity platform offers customizable security questionnaires mapping to NIST Special Publication 800-53 and many other popular regulations and standards, including DORA, NIST CSF and ISO 27001.

Questionnaires on the Cybersecurity platform.

To start tracking vendor compliance with NIST 800-53, you can download this free NIST 800-53 risk assessment template.
